Ten Steps to Effective Co-Sourcing of Internal Audit

Minakshi Bindhani

17 Mar, 2023

Even the most valued organizations that are versatile in all areas are bound to have gaps in expertise and resource. Some solution-oriented company leaders embrace supplementing resources in many creative ways. Some methods include co-sourcing of internal audit, a partnership between the audit employees and the externally hired professional service firms.

It allows the company to monitor the organization’s critical risk areas, giving the board more assurance that they are being monitored effectively and objectively. Choosing the right firm and model to address the audit issue is complex.

9 ways to get the effective co-sourcing of internal audits

Here are the ten essential steps for boards to ensure that an organization maximizes the value of its audit and gains protection and assurance from its activities.

1. Assess and approve the internal audit charter and review it periodically
   The audits charter is a formal document that provides the audit purpose, authority and responsibility. It establishes the audit’s position within an organization, including the Head of Internal Audit (HIA) position. It also authorizes the audit department’s access to personnel and records relevant to the performance of engagements.
   The charter also defines the scope of the audit activities; it should not be confined to financial or administrative areas; instead, it covers the entire portfolio of organizational risks (operational, strategic, compliance, reporting) and includes assurance and consultancy activities. It is essential to recognize that every audit charter in the organization reflects its risks and unique structure. The charter needs to be reviewed regularly to be up-to-date and represent the full range of expectations of audits.
   The audit’s core activity ensures that the risks are understood and managed appropriately. It may occasionally advise management and directors on risk management, governance and internal control issues. The audit committees must be aware of the risks, ensure sufficient safeguards, and not compromise the audit function.
   Final approval of the audit charter permanently resides with the audit committee^[1], and it is reviewed annually and updated if it reflects any changes in the organization.
2. Ensure a close working relationship with the head of the internal audit, promoting effective formal and informal communication
   To ensure the independence of the audit function and the objectivity of its assessments must be placed on something other than parts of the organization that are themselves subject to audit scrutiny. The head of the audit communicates with the board, audit committee, and other directors, particularly the board chairman. It is essential when the audit team has sufficient reason to believe that senior management has identified residual risk in an organization.
3. Assess the resource of the audit function
   The audit function possessed sufficient resources regarding staff numbers and proficiency to be effective. The audit committee appoints the head of the audit team, and the committee ensures that it approves the selection of the HIA. Furthermore, it ensures the HIA’s objectivity and independence, and the committee oversees the auditor appointment’s termination.
   The HIA demonstrates the audit’s principal risks after carefully considering the extent of risk and monitoring the proposal made by the organization’s CEO to adjust the audit function’s capacity defined in the organization.
   The audit function possesses the skills, knowledge, and other competencies to execute the idea. It includes a balanced set of technical skills that allows an understanding of the types of risk faced by the organization and evaluating the effectiveness of associated risk responses.
   The audit committee ensures that an external assessment of an audit function is conducted at least once every five years – or more frequently. The audit committee chairperson is directly involved in the annual performance appraisal.
   Finally, the audit committee make recommendations on the HIA’s remuneration package to ensure that:
   Their remuneration package is sufficient to attract the calibre of professionals required and ensure a status within the organization that allows them to carry out the assigned responsibilities.
4. Monitor the quality of internal audit work, both internal and external
   The HIA has developed and maintained a quality assurance and improvement programme which covers all aspects of the audit function set by the International standards for the professional practice of auditing. The audit committee reviews such a programme to ensure that it has provided insight into the efficiency of the audit function and identified opportunities for improvement.
5. Approve, evaluate and regularly review the risk-based annual internal audit plan
   The HIA must develop a risk-based plan annually to determine the audit activities within an organization’s goals.
   The HIA considers the organization’s internal control framework. The HIA developed the risk factor set by the board and senior management in the organization. After consultation with senior management and the audit committee, the HIA defined their risk-based assessment criteria as the basis of the audit plan.
6. Oversee the relationship between internal audit and centralized risk monitoring
   The organization is responsible for managing. Generally, many organizations established a centralized risk management function for coordination and developing risk management activities. The best practice for larger organizations is to nominate a chief risk officer (CRO), and smaller organizations may assign the responsibility to another senior executive. The CRO monitors overall risk management capabilities and resources and assists operational managers, and gives reporting on relevant risk information across the organization. Specific responsibilities of a CRO include:
   • Defining roles and responsibilities and establishing risk management policies, defining roles and responsibilities, and
   • Providing a framework of risk management in specific processes, functions or departments of the organization
   • Promoting risk management competence throughout the organization
   • Setting goals for implementation
   • Establishing standard risk management measures.
   • Reporting to the board, CEO, or relevant committee on progress and recommending necessary action.
   • Facilitating managers’ development of risk management and monitoring the reporting process
   • The audit function must coordinate appropriately with the CRO to avoid gaps in organizational risk monitoring.
   • The audit evaluates the governance structure and provides for the effective management of risk in an organization, including appropriately considered and reported risk.
7. Ensure the collective roles of the internal auditor, other internal assurance providers and external audit are coordinated and optimized
   External auditors assure the organization’s shareholders, board and senior management that the organization’s financial statements provide an accurate view of the organization’s financial performance and current financial position. The information gathered by external auditors is typically limited to financial reporting risks. The board and senior management or board committees monitor the organization’s business, strategic, and compliance issues. The senior management, the board and the audit committee.
   The audits consider the planning process and may include follow-up activities to ascertain the effectiveness of management’s corrective actions. Similarly, external audits may consider audit findings to inform their work. The audit committee ensures adequate and effective coordination between internal and external audit activities.
8. Monitor the management implementation of internal audit recommendations
   The head of the Audit team established a follow-up process to ensure that recommendations made by the audit team have been adequately implemented. In cases where the audit team did not comply with the recommendation confirms that the senior management has accepted responsibility for the risks of not taking action.
   The head of the audit team identified the organization as a residual risk that may not be acceptable to the board. In that case, they must discuss the matter with senior management first. The management decision regarding residual risk was explained to the  HIA, and reported the matter to the audit committee.
9. Assess the internal audits findings of audit reports
   The committee formalizes the audit reporting and communication needs, including the required reporting frequency and opinions on management actions. The audit committee includes significant risk exposures identified by the audit team. A report on the fulfilment of the audit plan or any issues regarding the staffing and resources is made available to the audit function. It is linked back to the requirements set out with the audit charter.

Conclusion

The audit committee assesses management actions’ progress to implement the audit recommendations, emphasizing significant control and risk issues. The audit committee discussed significant issues’ causes and followed up with the management team. The audit committee discusses with the head of the Audit team and recommends if the Head of Audit believes that senior management has exposed the organization to a residual risk that may not be acceptable to the board.

Also Read:
Important Checklist for Internal Audit of Private Limited
Effective Steps of Performing an Internal Audit Successfully
The future of Internal Audit: Analysis, insights and prospectus